How to Enable Nat-Traversal in JUNOS-ES?
How to Enable Nat-Traversal in JUNOS Enhanced Services (JUNOS-ES)?
Solution:
By default, NAT traversal (NAT-T) is enabled for IKE gateways, and the default NAT-T keepalive is 5 seconds. Unless the configuration explicitly disables NAT-T, IKE phase 1 will attempt to use NAT-T if a NAT device is detected in the path between the two peers.
You can confirm that NAT-T was NOT disabled by viewing the configuration for the IKE gateway.
From J-Web:
- Navigate to Configuration > Quick Configuration > VPN > IKE.
- Confirm that the Disable NAT-Traversal box is NOT checked.
From the CLI:
- From operational mode, enter the command:
show configuration security ike gateway <gateway name>
- Confirm that no-nat-traversal is NOT in the configuration.
Example (no-nat-traversal is present in this output, so NAT-T is disabled for the gateway dialup-ike):
root@CORPORATE> show configuration security ike gateway dialup-ike
ike-policy ike-policy1;
dynamic {
user-at-hostname "remote@acme.com";
connections-limit 10;
ike-user-type shared-ike-id;
}
no-nat-traversal;
external-interface ge-0/0/3.0;
xauth access-profile xauth-users;
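To run the same check across every gateway at once, the following added example (not part of the original article or any Juniper tooling) parses the brace-format output of "show configuration security ike" and reports which gateways still have NAT-T enabled. The function name, the branch-gw gateway and the sample text are constructed for illustration; the parser assumes gateways appear at the top level of that output and treats a statement prefixed with "inactive:" (how Junos displays a deactivated statement) as not in effect.

```python
import re

# Constructed sample of "show configuration security ike" output.
# dialup-ike mirrors the article's example; branch-gw is made up.
SAMPLE = """\
policy ike-policy1 {
    mode aggressive;
}
gateway dialup-ike {
    ike-policy ike-policy1;
    dynamic {
        user-at-hostname "remote@acme.com";
        connections-limit 10;
        ike-user-type shared-ike-id;
    }
    no-nat-traversal;
    external-interface ge-0/0/3.0;
    xauth access-profile xauth-users;
}
gateway branch-gw {
    ike-policy ike-policy1;
    address 192.0.2.10;
    inactive: no-nat-traversal;
    external-interface ge-0/0/3.0;
}
"""

def nat_t_status(config_text):
    """Return {gateway name: True if NAT-T is enabled, False if disabled}."""
    status = {}
    stack = []  # names of the configuration blocks currently open
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and "##" annotations
        inactive = line.startswith("inactive: ")
        if inactive:
            line = line[len("inactive: "):]
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            m = re.fullmatch(r"gateway (\S+)", stack[-1])
            if len(stack) == 1 and m:
                status[m.group(1)] = True  # NAT-T is on by default
        elif line == "}":
            stack.pop()
        elif line == "no-nat-traversal;" and not inactive and len(stack) == 1:
            m = re.fullmatch(r"gateway (\S+)", stack[0])
            if m:
                status[m.group(1)] = False  # explicitly disabled
    return status
```

Calling nat_t_status(SAMPLE) reports dialup-ike as disabled and branch-gw as enabled, because the latter's no-nat-traversal statement is deactivated.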
Configuration